commit 98e8f891b52186834d567345888bc8923ecbca59
Author: CentOS Sources
Date: Thu Nov 4 00:46:12 2021 -0400
import openssl-ibmca-2.2.0-3.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fd8588c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/openssl-ibmca-2.2.0.tar.gz
diff --git a/.openssl-ibmca.metadata b/.openssl-ibmca.metadata
new file mode 100644
index 0000000..9bba6dd
--- /dev/null
+++ b/.openssl-ibmca.metadata
@@ -0,0 +1 @@
+9046d41ba698ef6a493bd0807d7456138c9ab436 SOURCES/openssl-ibmca-2.2.0.tar.gz
diff --git a/SOURCES/openssl-ibmca-2.2.0-eckey.patch b/SOURCES/openssl-ibmca-2.2.0-eckey.patch
new file mode 100644
index 0000000..6e8d490
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.2.0-eckey.patch
@@ -0,0 +1,31 @@
+From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
+From: Juergen Christ
+Date: Mon, 31 May 2021 18:00:07 +0200
+Subject: [PATCH] Skip eckey test if needed.
+
+Without crypto cards on a machine < z15, ibmca might not register with the
+EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped
+since it is doomed to fail.
+
+Fixes #69.
+
+Signed-off-by: Juergen Christ
+---
+ test/eckey.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/eckey.c b/test/eckey.c
+index 35b3df2..6d0870b 100644
+--- a/test/eckey.c
++++ b/test/eckey.c
+@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
+ fprintf(stderr, "ibmca engine not loaded\n");
+ goto out;
+ }
++ if (ENGINE_get_EC(engine) == NULL) {
++ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n");
++ exit(77);
++ }
+ eckey = EC_KEY_new_by_curve_name(nid);
+ if (eckey == NULL) {
+ /* curve not supported => test passed */
diff --git a/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch
new file mode 100644
index 0000000..04122e8
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch
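Review bot: The added `exit(77)` in check_eckey() turns a missing EC_KEY registration into a skip, so on a build host where the engine does not register EC the `make check` run in the spec's %check stage succeeds without exercising any EC code path, and a green build then says nothing about the EC implementation that ships. The bare `77` is the automake "skipped" status and should be named or commented, e.g. `#define TEST_SKIP 77 /* automake: test skipped */`. The exit also bypasses the `goto out` path used by the error branch just above it, which is harmless at process exit but inconsistent with the rest of the function. check_eckey() starts and ends outside the hunk.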
@@ -0,0 +1,105 @@
+From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001
+From: Juergen Christ
+Date: Thu, 29 Jul 2021 17:38:59 +0200
+Subject: [PATCH] Fix DSA and DH registration.
+
+DSA does not provide backups by default.
+
+Also fix typo in DH initialization.
+
+Signed-off-by: Juergen Christ
+---
+ src/ibmca_dh.c | 2 +-
+ src/ibmca_dsa.c | 26 ++++----------------------
+ 2 files changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c
+index 2459cf1..b2b75a9 100644
+--- a/src/ibmca_dh.c
++++ b/src/ibmca_dh.c
+@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void)
+
+ if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
+ || (meth1 = DH_OpenSSL()) == NULL
+- || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL
++ || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL
+ || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
+ || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
+ || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)
+diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c
+index f5bf4e4..3b5ac87 100644
+--- a/src/ibmca_dsa.c
++++ b/src/ibmca_dsa.c
+@@ -28,18 +28,10 @@
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine ibmca dsa1024 rsa1024". */
+ #ifdef OLDER_OPENSSL
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+- BIGNUM *m, BN_CTX *ctx,
+- BN_MONT_CTX *in_mont);
+ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+ BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+ BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ #else
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+- const BIGNUM *p1, const BIGNUM *a2,
+- const BIGNUM *p2, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *in_mont);
+ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+ const BIGNUM *p1, const BIGNUM *a2,
+ const BIGNUM *p2, const BIGNUM *m,
+@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+ end:
+ BN_free(t);
+
+- if (!to_return && ibmca_dsa_mod_exp_backup)
+- return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont);
++ if (!to_return)
++ return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+ return to_return;
+ }
+
+ #ifdef OLDER_OPENSSL
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+ static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+ const BIGNUM *p, const BIGNUM *m,
+ BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+ #else
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+ static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *p, const BIGNUM *m,
+ BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+ #endif
+ {
+- if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup)
+- return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx);
++ if (!ibmca_mod_exp(r, a, p, m, ctx))
++ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return 1;
+ }
+
+@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void)
+ {
+ const DSA_METHOD *meth1 = DSA_OpenSSL();
+
+- ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp;
+- ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp;
+ dsa_m.dsa_do_sign = meth1->dsa_do_sign;
+ dsa_m.dsa_sign_setup = meth1->dsa_sign_setup;
+ dsa_m.dsa_do_verify = meth1->dsa_do_verify;
+@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void)
+
+ if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL
+ || (meth1 = DSA_OpenSSL()) == NULL
+- || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL
+- || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL
+ || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1))
+ || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1))
+ || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1))
diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec
new file mode 100644
index 0000000..3c38baf
--- /dev/null
+++ b/SPECS/openssl-ibmca.spec
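Review bot: The new software fallback in ibmca_mod_exp_dsa() calls `BN_mod_exp_mont(r, a, p, m, ctx, m_ctx)` whenever ibmca_mod_exp() returns 0, with no comment on why that is safe for a secret exponent. In DSA signing the exponent handed to the bn_mod_exp hook is the per-signature nonce, and as far as I know `BN_mod_exp_mont()` only takes its constant-time path when an operand carries `BN_FLG_CONSTTIME`; the OpenSSL caller presumably sets that flag, but the code now depends on it silently. I would put `/* SW fallback: relies on the caller having set BN_FLG_CONSTTIME on p */` above that call, and a matching comment on the `BN_mod_exp2_mont` fallback in ibmca_dsa_mod_exp() saying which operands it expects. Both function bodies begin outside their hunks.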
@@ -0,0 +1,222 @@ +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) + +Summary: A dynamic OpenSSL engine for IBMCA +Name: openssl-ibmca +Version: 2.2.0 +Release: 3%{?dist} +License: ASL 2.0 +URL: https://github.com/opencryptoki +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240 +Patch0: openssl-ibmca-2.2.0-eckey.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1989380 +# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20 +Patch1: openssl-ibmca-2.2.0-fix-registration.patch +Requires: libica >= 3.8.0 +BuildRequires: make +BuildRequires: gcc +BuildRequires: libica-devel >= 3.8.0 +BuildRequires: automake libtool +BuildRequires: openssl +ExclusiveArch: s390 s390x + + +%description +A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines. + + +%prep +%autosetup -p1 + +./bootstrap.sh + + +%build +%configure --libdir=%{enginesdir} --with-libica-cex +%make_build + + +%install +%make_install +rm -f %{buildroot}%{enginesdir}/*.la + +pushd src +sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +popd + +# remove generated sample configs +rm -rf %{buildroot}%{_datadir}/%{name} + + +%check +make check + + +%files +%license LICENSE +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/gensamplecfg.pl +%{enginesdir}/ibmca.so +%{_mandir}/man5/ibmca.5* + + +%changelog +* Mon Aug 09 2021 Mohan Boddu - 2.2.0-3 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Mon Aug 09 2021 Dan Horák - 2.2.0-2 +- fix DSA and DH registration (#1989380) +- Resolves: #1989380 + +* Fri Jun 04 2021 Dan Horák - 2.2.0-1 +- updated to 2.2.0 (#1869531) +- eliminate SW fallback functions (#1924117) +- Resolves: #1869531 #1924117 + +* Wed May 12 2021 Dan Horák - 2.1.2-1 +- updated to 2.1.2 + +* Fri Apr 16 2021 
Mohan Boddu - 2.1.1-4 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 2.1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 2.1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue May 12 2020 Dan Horák - 2.1.1-1 +- updated to 2.1.1 + +* Wed Jan 29 2020 Fedora Release Engineering - 2.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Sep 09 2019 Dan Horák - 2.1.0-1 +- updated to 2.1.0 + +* Thu Jul 25 2019 Fedora Release Engineering - 2.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Apr 24 2019 Dan Horák - 2.0.3-1 +- updated to 2.0.3 + +* Fri Feb 01 2019 Fedora Release Engineering - 2.0.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Dec 13 2018 Dan Horák - 2.0.2-1 +- updated to 2.0.2 + +* Thu Aug 23 2018 Dan Horák - 2.0.0-3 +- run upstream test-suite during build + +* Fri Jul 13 2018 Fedora Release Engineering - 2.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jun 18 2018 Dan Horák - 2.0.0-1 +- updated to 2.0.0 + +* Fri Feb 23 2018 Dan Horák - 1.4.1-1 +- updated to 1.4.1 + +* Thu Feb 08 2018 Fedora Release Engineering - 1.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 24 2018 Dan Horák - 1.4.0-2 +- update engine filename +- spec cleanup + +* Mon Sep 11 2017 Dan Horák - 1.4.0-1 +- updated to 1.4.0 + +* Thu Aug 03 2017 Fedora Release Engineering - 1.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Mar 08 2017 Dan Horák - 1.3.1-1 +- updated to 1.3.1 and OpenSSL 1.1 + +* Sat Feb 11 2017 Fedora Release Engineering - 1.2.0-13 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 1.2.0-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 1.2.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Nov 05 2014 Dan Horák - 1.2.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.2.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Mar 19 2014 Dan Horák - 1.2.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 1.2.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jul 20 2012 Fedora Release Engineering - 1.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Apr 20 2012 Dan Horák - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Jul 07 2011 Dan Horák - 1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Apr 22 2010 Dan Horák - 1.1-2 +- fixed opening of the libica library (#584765) +- Resolves: #584765 + +* Thu Mar 4 2010 Dan Horák - 1.1-1 +- rebased to 1.1 instead of patching +- Resolves: #568847 + +* Thu Feb 18 2010 Dan Horák - 1.0.0-5 +- added patch with port to libica 2.x API +- Related: #543948 + +* Wed Feb 10 2010 Dan Horák - 1.0.0-4 +- added explicit dependency on libica, because it's dlopened +- Related: #543948 + +* Tue Jan 12 2010 Dan Horák - 1.0.0-3 +- rebuild +- Related: #543948 + +* Sat Jul 25 2009 Fedora Release Engineering - 1.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 9 2009 Dan Horak - 1.0.0rc2-1.el5.4 +- Fixed several issues with failure of using ibmca engine (#227644) + +* Tue Dec 12 2006 Phil Knirsch - 1.0.0rc2-1.el5.3 +- Added missing symlinks for libs (#215735) +- Added samle 
config file (#215735) + +* Thu Nov 23 2006 Phil Knirsch - 1.0.0rc2-1.el5.2 +- Necessary fix so openssl finds the module properly (#215735) + +* Thu May 11 2006 Phil Knirsch - 1.0.0rc2 +- Initial package.
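Review bot: `%global enginesdir %(pkg-config --variable=enginesdir libcrypto)` has no BuildRequires behind it that guarantees pkg-config and libcrypto.pc are installed when the macro is evaluated. If the lookup comes back empty, `--libdir=%{enginesdir}` and the %files entry `%{enginesdir}/ibmca.so` expand to an empty prefix, and the engine is built for and packaged at a path outside OpenSSL's engines directory. libica-devel may pull the needed packages in transitively, but the spec should state the dependency itself with `BuildRequires: pkgconfig(libcrypto)`. A check in %prep that aborts when `%{enginesdir}` is empty would turn a misplaced module into an explicit build failure.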